fix(deps): bump form-data to patched 2.5.6/3.0.5/4.0.6#37
Open
clarion-by-cantina[bot] wants to merge 1 commit into
Open
fix(deps): bump form-data to patched 2.5.6/3.0.5/4.0.6#37clarion-by-cantina[bot] wants to merge 1 commit into
clarion-by-cantina[bot] wants to merge 1 commit into
Conversation
Resolve GHSA-hmw2-7cc7-3qxx (CVE-2026-12143) CRLF injection in form-data. Add scoped npm overrides to bump all transitive form-data instances to the first patched release within their major line.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bumps
form-datato patched versions to address a CRLF injection vulnerability (GHSA-hmw2-7cc7-3qxx / CVE-2026-12143, CWE-93).form-datais a transitive runtime dependency (pulled in viaaxios,graphql-request,@types/node-fetch,request, and@pinata/sdk). Five vulnerable instances were installed across the 2.x / 3.x / 4.x lines. This PR adds scoped npmoverridesto bring each instance to the first patched release within its own major line, avoiding breaking API changes for the consuming packages.Severity note: GitHub/CVSS rates this high (7.5), but the advisory is explicitly conditional — it is only exploitable when an application passes untrusted input as a multipart field name or filename.
routing-apinever importsform-datadirectly and never constructs multipart bodies from untrusted input (outbound calls use JSON). Real-world exposure for this service is therefore low. This bump is applied as dependency hygiene to clear the finding.Vulnerability
< 2.5.6→2.5.6,>= 3.0.0 < 3.0.5→3.0.5,>= 4.0.0 < 4.0.6→4.0.6Changes
package.json— added scopedoverridesforform-data(per major line).package-lock.json— regenerated; allform-datainstances now resolve to patched versions:2.5.1→2.5.6(top-level / request / @pinata/sdk)3.0.1→3.0.5(graphql-request)4.0.0→4.0.6(axios / @types/node-fetch)Validation
npm cisucceeds (lockfile in sync).prettier --checkpasses on the changed files (package.json,package-lock.json).yarn.lockintentionally left unchanged — CI installs vianpm ci; npmoverridesare not consumed by yarn.Notes
Prettiercheck reports 17 formatting errors, all in source files this PR does not touch (lib/**/*.ts,tsconfig.json). These formatting issues exist onmainindependently of this dependency bump and are out of scope here. TheRun lintersjob and all Wiz scanners pass.View in Clarion
Automated remediation by Clarion.